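#!/usr/bin/env -S nft -f
# nftables ruleset for the VPN bridge interface ${IFACE}.
#
# This file is a Jinja2 template rendered by Ansible; the {{ ... }} / {% ... %}
# parts are resolved at render time, the ${IFACE} parts are not.
# NOTE(review): ${IFACE} is shell-style substitution, not an nft `define`, so
# the rendered file presumably goes through a shell/envsubst step before
# `nft -f` reads it — confirm against the unit or handler that loads it.
#
# Layout:
#   inet ${IFACE}_inet : masquerade VPN clients leaving via the default uplink(s)
#   ip   ${IFACE}_ipv4 : IPv4 port forwards into the VPN and forward-path filtering
#   ip6  ${IFACE}_ipv6 : the same for IPv6
#
# Hook ordering that the filter rules rely on: nat/prerouting (priority -100)
# runs before filter/forward (priority 0), so `daddr` in the forward chains is
# already the post-DNAT (internal) address.

table inet ${IFACE}_inet {
    chain postrouting {
        type nat hook postrouting priority 100;
        # Source-NAT traffic arriving from the VPN and leaving on the default
        # IPv4/IPv6 uplink. Both interface names are listed (deduplicated) so a
        # host whose v4 and v6 defaults differ is covered by one rule.
        iif ${IFACE} oif { {{ [ ansible_default_ipv4.interface | default(ansible_default_ipv6.interface), ansible_default_ipv6.interface | default(ansible_default_ipv4.interface) ] | unique | join(", ") }} } masquerade;
    }
}

table ip ${IFACE}_ipv4 {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port forwards from the uplink into a VPN client. Every listed port is
        # opened for both tcp and udp; narrow the list per entry if only one
        # protocol is actually served.
{% for forward in vpn_bridge_dnat | default([]) %}
        iif {{ ansible_default_ipv4.interface | default(ansible_default_ipv6.interface) }} meta l4proto { tcp, udp } th dport { {{ forward.ports | join(", ") }} } dnat to {{ forward.inet_address }};
{% endfor %}
    }

    chain forward {
        # The default filter policy is accept; stated explicitly so the reader
        # sees that only the drops below restrict forwarding.
        type filter hook forward priority 0; policy accept;
{% if local_inet_network is defined %}
        # Replies to connections the local network itself opened must still pass.
        ct state established,related accept;
        # VPN clients may not open new connections into the local network.
        iif ${IFACE} ip daddr {{ local_inet_network }} drop comment "vpn-bridge: no VPN-initiated access to local network";
{% endif %}
{% if vpn_bridge_local_only_inet_daddr | default([]) %}
        # Drop all external traffic for these addresses: only sources inside
        # the VPN subnet may reach them. Because this matches the post-DNAT
        # address, listing a port-forward target here blocks uplink access to
        # it even though a dnat rule exists.
        ip saddr != {{ vpn_bridge_inet_subnet }} ip daddr { {{ vpn_bridge_local_only_inet_daddr | join(", ") }} } drop comment "vpn-bridge: VPN-only destination";
{% endif %}
    }
}

table ip6 ${IFACE}_ipv6 {
    chain prerouting {
        type nat hook prerouting priority -100;
        # IPv6 counterpart of the IPv4 port forwards above.
{% for forward in vpn_bridge_dnat | default([]) %}
        iif {{ ansible_default_ipv6.interface | default(ansible_default_ipv4.interface) }} meta l4proto { tcp, udp } th dport { {{ forward.ports | join(", ") }} } dnat to {{ forward.inet6_address }};
{% endfor %}
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
{% if local_inet6_network is defined %}
        ct state established,related accept;
        iif ${IFACE} ip6 daddr {{ local_inet6_network }} drop comment "vpn-bridge: no VPN-initiated access to local network";
{% endif %}
{% if vpn_bridge_local_only_inet6_daddr | default([]) %}
        # Drop all external traffic for these addresses (see IPv4 note above).
        ip6 saddr != {{ vpn_bridge_inet6_subnet }} ip6 daddr { {{ vpn_bridge_local_only_inet6_daddr | join(", ") }} } drop comment "vpn-bridge: VPN-only destination";
{% endif %}
    }
}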